BBB spam.. you must know what it looks like by now. Here are a couple of new domains:
perikanzas.com
41.64.21.71 (Dynamic ADSL, Egypt)
213.179.193.132 (Solidhost, Netherlands)
twistedtarts.net
109.68.33.18 (Mesh Digital, UK)
Tuesday, 28 February 2012
"Your Flight" spam / cparabnormapoopdsf.ru
Date: Tue, 27 Feb 2012 03:53:09 +0530
From: sales1@victimdomain.com
Subject: Fwd: Your Flight N US787-8929269
Attachments: FLIGHT_TICKET_N3988-753843.htm
Dear Customer,
FLIGHT NUMBER 8333-452628141
DATE/TIME : MARCH 23, 2011, 16:15 PM
ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT
PRICE : 856.77 USD
Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).
To use your ticket you should print it.
LAKEISHA Wolff,
American Airlines
The payload is at cparabnormapoopdsf.ru:8080/images/aublbzdni.php (report here). As with other .ru:8080 attacks, this one is multihomed on some familiar-looking IPs:
50.31.1.105 (Steadfast Networks, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
IRS Spam / pollypeach.com
Date: Tue, 27 Feb 2012 17:02:45 +0600
From: "Ofelia Childers"
Subject: IRS notification of your tax appeal status.
Dear Accountant Officer,
Hereby you are notified that your Income Tax Return Appeal id#0184348 has been REJECTED. If you believe the IRS did not properly assess your case due to a misinterpretation of the case details, be prepared to provide additional information. You can obtain the rejection report and re-submit your appeal under the following link Online Tax Appeal.
Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday - Friday, 7:00 a.m. - 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).
The malicious payload is on pollypeach.com/search.php?page=73a07bcb51f4be71 and pollypeach.com/content/ap2.php?f=e4649 (see the report here), hosted on 69.163.45.128 (Directspace, US). Blocking the IP rather than the domain will stop any further infections from that server.
NACHA Spam / cgunikqakklsdpfo.ru
A terse version of the familiar NACHA fake spam, leading to malware:
Date: Mon, 26 Feb 2012 12:16:40 +0530
From: accounting@victimdomain.com
Subject: Fwd: ACH and Wire transfers disabled.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
The payload is on cgunikqakklsdpfo.ru:8080/img/?promo=nacha which is multihomed (details below). It's pretty easy to search your outbound logs for connection attempts to .ru:8080 if you haven't got filtering enabled.
The list of IPs gets a little shorter every time, but there are still some familiar hosts here:
50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
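The post suggests searching outbound logs for connection attempts to ".ru:8080" hosts. As an added example (not code from the blog), here is that search over a few constructed proxy log lines, flagging both the ".ru" on port 8080 pattern and direct connections to a subset of the multihomed IPs listed above; the log layout and the sample lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the multihomed .ru:8080 hosts listed in the post (not exhaustive).
KNOWN_BAD_IPS = frozenset({
    "50.31.1.105", "69.60.117.183", "78.83.233.242", "88.191.97.108",
    "95.156.232.102", "125.19.103.198", "173.203.51.174", "184.106.200.65",
    "184.106.237.210", "188.165.253.126", "190.81.107.70", "199.204.23.216",
    "200.169.13.84", "209.114.47.158", "210.56.23.100",
})

# Assumed (constructed) log layout: "<timestamp> <client_ip> <method> <target> <status>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, target, status = m.groups()
    # CONNECT targets are bare "host:port"; give them a scheme so urlsplit works.
    parts = urlsplit(target if "://" in target else "http://" + target)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # a non-numeric port in a malformed line
        return None
    return {"ts": ts, "client": client, "method": method,
            "host": host, "port": port, "path": parts.path, "status": int(status)}


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if it is not)."""
    reasons = []
    # The pattern the post describes: a .ru domain served on port 8080.
    if entry["host"].endswith(".ru") and entry["port"] == 8080:
        reasons.append("ru-8080")
    # Direct connections to one of the known multihomed IPs, with or without a domain.
    try:
        if str(ipaddress.ip_address(entry["host"])) in KNOWN_BAD_IPS:
            reasons.append("known-bad-ip")
    except ValueError:
        pass  # host is a name, not a literal IP
    return reasons


def scan(lines):
    """Return (client, host, port, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["client"], entry["host"], entry["port"], reasons))
    return hits


# Constructed sample log; the .ru:8080 URL is the one quoted in the post above.
SAMPLE_LOG = [
    "2012-02-28T10:01:07Z 10.1.2.33 GET http://www.example.com/index.html 200",
    "2012-02-28T10:01:09Z 10.1.2.33 GET http://cparabnormapoopdsf.ru:8080/images/aublbzdni.php 200",
    "2012-02-28T10:01:10Z 10.1.2.33 GET http://50.31.1.105:8080/images/aublbzdni.php 200",
    "2012-02-28T10:02:44Z 10.1.2.57 GET http://news.example.ru/ 200",
    "2012-02-28T10:03:01Z 10.1.2.57 CONNECT update.example.com:443 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for client, host, port, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {host}:{port}  [{', '.join(reasons)}]")
```

A .ru site on port 80 is deliberately not flagged, since the post's pattern is the unusual port, not the TLD alone.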
BBB and AICPA spam / 110hobart.com
Two spam runs with essentially the same malicious payload..
Date: Mon, 26 Feb 2012 12:30:50 +0100
From: "BBB"
Subject: BBB case ID 73773062
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 73773062) from your customer in regard to their dealership with you.
Please open the COMPLAINT REPORT below to obtain the details on this matter and inform us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
Arnold Melendez
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Leading to 110hobart.com/main.php?page=f46555a4a5b80a04 and 110hobart.com/content/ap2.php?f=cc677, and also:
Date: Mon, 26 Feb 2012 11:16:30 +0100
From: "Adan Jordan"
Subject: Tax return fraud notification.
You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Revocation of Public Account Status due to tax return fraud accusations
Valued AICPA member,
We have received a notice of your recent involvement in income tax refund infringement on behalf of one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be cancelled in case of the act of filing of a false or fraudulent tax return on the member's or a client's behalf.
Please familiarize yourself with the notification below and respond to it within 21 days. The failure to respond within this time-frame will result in cancellation of your Accountant license.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
Leading to 110hobart.com/content/ap2.php?f=cc677 and 110hobart.com/main.php?page=02876dd2afe89394 (a slightly different URL from before)
The IP address is a familiar one, 41.64.21.71, which is allegedly an ADSL subscriber in Cairo. This IP has been used in several attacks recently; blocking it would be a really good idea.
Friday, 24 February 2012
AICPA Spam / synetworks.net and housespect.net
More fake AICPA spam leading to malware..
The links go through a legitimate hacked site to some obfuscated javascript leading to a malicious payload on synetworks.net/main.php?page=2d057d472cd217e2 and synetworks.net/content/ap2.php?f=3dc5c (report here) hosted on 76.12.101.172 (HostMySite, US). That IP is also home to housespect.net, which also appears to be malicious. Blocking the IP should prevent any other malicious sites on the same server from being a problem.
Date: Fri, 23 Feb 2012 12:29:00 +0100
From: "Jonathon Humphrey"
Subject: Termination of your CPA license.
You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Termination of Accountant status due to income tax fraud accusations
Dear AICPA member,
We have received a complaint about your alleged participation in income tax fraudulent activity on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be terminated in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.
Please be informed of the complaint below and provide your feedback to it within 7 days. The failure to respond within this term will result in withdrawal of your CPA license.
Complaint.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
==================
Date: Fri, 23 Feb 2012 12:28:45 +0100
From: "Dominic Moreno"
Subject: Your accountant license can be revoked.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Termination of Public Account Status due to tax return fraud accusations
Dear accountant officer,
We have been informed of your alleged involvement in income tax fraudulent activity for one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant status can be revoked in case of the aiding of presenting of a incorrect or fraudulent tax return on the member's or a client's behalf.
Please be notified below and provide your feedback to it within 7 days. The failure to do so within this period will result in suspension of your Accountant status.
Complaint.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
Thursday, 23 February 2012
HP OfficeJet spam / cruoinaikklaoifpa.ru and upjachkajasamns.ru
This isn't from an HP OfficeJet; the attachment leads to malware..
Date: Thu, 22 Feb 2012 05:04:38 +0700
From: scanner@victimdomain.com
Subject: Fwd: Re: Scan from a Hewlett-Packard Officejet #19152659
Attachments: HP_Officejet_02-23_OFCJET88353.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP OfficeJet 34612A.
Sent by: FELICE
Images : 0
Attachment Type: .HTML [Internet Explorer]
HP Officejet Location: --
The .htm file attempts to redirect the victim to a malicious page at cruoinaikklaoifpa.ru:8080/images/aublbzdni.php and as with this recent spate of ".ru:8080" sites it is multihomed. It then tries to download additional malware from upjachkajasamns.ru:8080/images/jw.php?i=8 on the same IP addresses. The list is pretty similar to this one with a few additions.
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.57.118.247 (Slicehost US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
79.101.30.15 (Serbia Telekom, Serbia)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
147.83.22.79 (Universitat Politecnica de Catalunya, Spain)
173.203.51.174 (Slicehost US)
184.106.200.65 (Slicehost US)
184.106.237.210 (Slicehost US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
AICPA Spam / srsopen.net
Another fake spam email claiming to be from AICPA, but actually leading to malware, this time on srsopen.net.
The malicious payload is at srsopen.net/main.php?page=78581944265196f1; as usual, the first step is a legitimate hacked site. srsopen.net is hosted on two familiar IP addresses, 115.249.190.46 and 41.64.21.71, most recently seen here.
Date: Thu, 22 Feb 2012 11:29:29 +0100
From: "Guadalupe Kessler"
Subject: Fraudulent tax return assistance accusations.
You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Termination of CPA license due to income tax fraud allegations
Valued accountant officer,
We have received a complaint about your alleged participation in income tax infringement for one of your employers. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the event of presenting of a incorrect or fraudulent tax return for your client or employer.
Please be notified below and respond to it within 21 days. The failure to respond within this term will result in cancellation of your Accountant license.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
"You may be entitled to up to £3000 from mis-sold PPI" SMS Spam
I hadn't heard anything from these scummy SMS spammers recently, I assumed they had been busted in one of the recent crackdowns.
Urgent - You may be entitled to up to £3000 from mis-sold PPI on loans or credit cards. For a free no obligation check reply PPI or STOP to opt out
The sending number was +447866079549, although these spammers change their number more often than their underwear.
If you get one of these, you should forward the spam to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Wednesday, 22 February 2012
NACHA Spam / campingomotion.com
Another NACHA spam with a malicious payload:
From: The Electronic Payments Association filmeboo@filmeboo.com
Reply-To: The Electronic Payments Association
Date: 22 February 2012 21:46
Subject: Technical failure report
Valued Customer,
Unfortunately we notify you , that Direct Deposit payment (#ACH603865004417US) could not be completed, because of discontinued receipient account.
Direct Deposit procedure incomplete
Transaction # : ACH603865004417US
Information: Please download and print the transfer correction request below adjust the recipient banking details.
Transfer Report report-ACH603865004417US.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2012 NACHA - The Electronic Payments Association
The malicious payload is on campingomotion.com/search.php?page=977334ca118fcb8c, IP 199.230.54.75 (Servint, US). Block the IP address in addition to the domain if you can.
"Urgent! Check the access to your card!" / cpojkjfhotzpod.ru
Date: Wed, 21 Feb 2012 06:09:01 -0800
From: "Keitha Hanks"
Subject: Urgent! Check the access to your card!
We have detected operations with large amounts on your card which fact had not previously been observed. Please, familiarize yourself with the copies and contact us in case these transfers of amounts were not made by you.
operations screenshot.jpg 103kb
With best regards
Keitha Hanks
MD5 check sum: xxxxxxxxxxxxxxxxxxxxx
The link in the spam goes to a legitimate hacked site and then cpojkjfhotzpod.ru:8080/images/aublbzdni.php as seen in this spam run. Blocking the list of IPs mentioned in that post is probably prudent.
Contract spam / cpojkjfhotzpod.ru
Date: Wed, 21 Feb 2012 07:17:49 +0800
From: "LARUE Riley"
Subject: Fw: Contract from LARUE
Attachments: Contract_Scan_N5005.htm
Good afternoon,
In the attached file I am forwarding you the Translation of the Job Contract
that I have just received yesterday. I am really sorry for the delay.
Best regards,
LARUE Riley, secretary
==========
Date: Wed, 21 Feb 2012 05:17:01 +0700
From: "DELORIS Hensley"
Subject: Fw: Contract of 09.06.2011
Attachments: Contract_Scan_N0395.htm
Dear Customers,
In the attached file I am forwarding you the Translation of the Job Contract
that I have just received yesterday. I am really sorry for the delay.
Best regards,
DELORIS Hensley, secretary
===========
Date: Wed, 21 Feb 2012 09:10:09 +0900
From: "ALISHA MCMILLIAN"
Subject: Fw: Contract from ALISHA
Attachments: Contract_Scan_N67448.htm
Dear Customers,
In the attached file I am transferring you the Translation of the Sales Contract
that I have just received today. I am really sorry for the delay.
Best regards,
ALISHA MCMILLIAN, secretary
==========
Date: Wed, 21 Feb 2012 04:41:45 +0700
From: "Drake Milton"
Subject: Fw: Contract of 09.06.2011
Attachments: Contract_Scan_N7682.htm
Hello,
In the attached file I am forwarding you the Translation of the Purchase Contract
that I have just received a minute ago. I am really sorry for the delay.
Best regards,
Drake Milton, secretary
==========
The malicious payload is on cpojkjfhotzpod.ru:8080/images/aublbzdni.php, which is multihomed on several IP addresses, most of which we have seen before (and many of which are with Slicehost).
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
79.101.30.15 (Serbia Telekom, Serbia)
83.170.91.152 (UK2.NET, UK)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
94.20.30.91 (Delta Telecom, Azerbaijan)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
173.203.51.174 (Slicehost, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
BBB Spam / energirans.net
Yet another malicious fake BBB spam run, this time with a malicious payload on the domain energirans.net.
energirans.net is hosted on 41.64.21.71 (Dynamic ADSL, Egypt) and 115.249.190.46 (Reliance Communication, India), which are the same IPs as found in this spam run. Blocking them is probably a very good idea.
The link in the email goes to a legitimate hacked site and then via some obfuscated javascript to energirans.net/main.php?page=598991e7306ac07e where it attempts to infect the machine with the Blackhole Exploit kit.
Date: Wed, 21 Feb 2012 11:21:48 +0100
From: "BBB"
Subject: Better Business Bureau complaint
Attachments: betterbb_logo.jpg
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 15343433) from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT below to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
Rebecca Wilcox
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
AICPA Spam / favoriteburger.net
Following on from yesterday's AICPA spam run, a new domain is in use for the malicious payload: favoriteburger.net/search.php?page=73a07bcb51f4be71 on 209.59.212.14 (Endurance International Group again). The IP is worth blocking, and you may want to consider blocking larger ranges of this ISP, which seems to have a problem with this type of malicious site.
Date: Tue, 20 Feb 2012 22:31:55 -0300
From: "Gilbert Ayers"
Subject: Termination of your accountant license.
You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Cancellation of CPA license due to tax return fraud allegations
Valued accountant officer,
We have received a notice of your possible assistance in income tax refund fraudulent activity for one of your employers. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the fact of filing of a false or fraudulent income tax return on the member's or a client's behalf.
Please be informed of the complaint below and provide your feedback to it within 14 days. The failure to do so within this term will result in termination of your Accountant status.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
Tuesday, 21 February 2012
Some malware sites to block 21/2/12
These sites are being used in current spam runs to distribute the Blackhole Exploit Kit. You may want to block the IPs (mostly home PCs) or domains or both.
bestsecondchance.net
freac.net
likethisjob.com
synergyledlighting.net
sysfilecore.com
systemtestnow.com
thai4me.com
yourbeautifullife.net
For the record, those IPs are on the following providers:
41.64.21.71 (Dynamic ADSL, Egypt)
69.76.48.235 (Road Runner, US)
98.213.116.76 (Comcast, US)
115.249.190.46 (Reliance Communication, India)
151.56.49.48 (IUnet, Italy)
151.70.111.200 (IUnet, Italy)
174.48.136.189 (Comcast, US)
AICPA Spam / thai4me.com
From: Guillermo Reed risk.manager@aicpa.org
Date: 20 February 2012 11:18
Subject: Income tax return fraud accusations.
You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
AICPA logo
Termination of CPA license due to income tax fraud allegations
Dear AICPA member,
We have received a complaint about your possible involvement in income tax return fraud for one of your clients. According to AICPA Bylaw Paragraph 500 your Certified Public Accountant status can be terminated in case of the aiding of filing of a false or fraudulent tax return on the member's or a client's behalf.
Please be informed of the complaint below and respond to it within 14 days. The failure to provide the clarifications within this period will result in termination of your Accountant status.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
=================
Date: Tue, 20 Feb 2012 12:42:12 +0200
From: "Devon Staley"
Subject: Fraudulent tax return assistance accusations.
You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Termination of CPA license due to tax return fraud accusations
Valued AICPA member,
We have been notified of your alleged involvement in tax return fraud for one of your employees. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the fact of submitting of a false or fraudulent income tax return for your client or employer.
Please find the complaint below below and provide your feedback to it within 21 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.
Complaint.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
=================
Date: Tue, 20 Feb 2012 11:38:30 +0100
From: "Ervin Witherspoon"
Subject: Termination of your accountant license.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Termination of CPA license due to tax return fraud allegations
Dear AICPA member,
We have received a complaint about your recent assistance in income tax refund fraudulent activity on behalf of one of your employees. According to AICPA Bylaw Paragraph 765 your Certified Public Accountant license can be withdrawn in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.
Please familiarize yourself with the notification below and provide your feedback to it within 7 days. The failure to provide the clarifications within this term will result in suspension of your Accountant license.
Complaint.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
The link leads through a legitimate hacked site to thai4me.com/main.php?page=7d486a09d440e84a, which attempts to download a Java exploit. The domain thai4me.com is hosted on 41.64.21.71 (Dynamic ADSL, Egypt) and 115.249.190.46 (Reliance Communication, India). Those IPs also host other malicious sites; blocking them is probably a good move.
Saturday, 18 February 2012
Why you shouldn't use "The Good Care Guide" (goodcareguide.co.uk)
The Good Care Guide (goodcareguide.co.uk) looks like an admirable thing at first glance: an independent way for users of care services for the elderly and infants to review the quality of care, both good and bad. This is particularly useful with care for the elderly, where there often isn't much information, and the site has generated a lot of press comment (for example, the BBC, Sky News and the Press Association).
So... is this an entirely altruistic service? Not really. The Good Care Guide is provided in part by My Family Care Ltd which specialises in providing emergency, out-of-hours and holiday homecare for children and the elderly (e.g. emergencychildcare.co.uk, outofschoolcare.co.uk, emergencyhomecare.co.uk and myfamilycare.co.uk). Not that there appears to be anything wrong with these services, in fact they look to be pretty good and fill an important market niche.
When you sign up to write a review for the Good Care Guide, you have to give pretty much ALL your personal information including home address and telephone number. OK, that's fair enough if you want to make sure that the reviews are genuine..
The catch comes with the privacy policy which to be fair spells out what they are going to do with your personal information very clearly.
With whom we share your information
GCG may share your information with the following entities:
- Third-party vendors who provide services or functions on our behalf. Third-party vendors have access to and may collect information only as needed to perform their functions and are not permitted to share or use the information for any other purpose.
- Business partners with whom we may offer products or services in conjunction. You can tell when a third party is involved in a product or service you have requested because their name will appear either with ours or separately.
- Affiliated Web sites. If you were referred to GCG from another Web site, we may share your registration information, such as your name, email address, mailing address and telephone number about you with that referring Web site. We have not placed limitations on the referring Web sites' use of personal information and we encourage you to review the privacy policies of any Web site that referred you to GCG.
- Companies within our corporate family. We may share your personal information within the My Family Care Group. This sharing enables us to provide you with information about care services which might interest you.
So basically, they will share your information with other parts of their own company, any referring website and indeed any third-party business partner they see fit. OK, everybody needs to run a business, but there is no opt-out clause. If you want to write a review, then you are agreeing to receive marketing communications by email, post and even telephone regarding care services, essentially without limitation.
The Good Care Guide are not doing anything illegal. But childcare is expensive, and care for the elderly is very expensive. There is a lot of money to be made out of this type of care, and it looks like the operators of the Good Care Guide want a share of this market through their own paid-for services.
Until the Good Care Guide give an opt-out for marketing communications, I cannot recommend this service, as it looks suspiciously like a lead generator rather than a public service.
Friday, 17 February 2012
"Your accountant CPA license termination" spam / biggestsetter.com and 199.30.89.0/24
Date: Fri, 16 Feb 2012 14:35:18 +0200
From: "Mae Keller"
Subject: Your accountant CPA license termination.
You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Revocation of CPA license due to income tax fraud allegations
Dear AICPA member,
We have received a complaint about your alleged participation in tax return fraudulent activity on behalf of one of your employees. According to AICPA Bylaw Section 700 your Certified Public Accountant license can be cancelled in case of the occurrence of filing of a misguided or fraudulent income tax return on the member's or a client's behalf.
Please familiarize yourself with the notification below and respond to it within 7 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
Although it claims to be from "The American Institute of Certified Public Accountants" (aicpa.org), the "from" address claims to be the BBB.
Click on the "Complaint.pdf" link and you are redirected to biggestsetter.com/search.php?page=73a07bcb51f4be71, which serves the Blackhole Exploit Kit. biggestsetter.com is hosted on 199.30.89.187 (Zerigo / Central Host Inc). This netblock has been used several times in the past few days, so my advice is to block access to 199.30.89.0/24.
Some more examples:
Date: Fri, 16 Feb 2012 14:40:46 +0100
From: "Susie Smallwood"
Subject: Termination of your accountant license.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Termination of CPA license due to tax return fraud accusations
Dear AICPA member,
We have been notified of your recent assistance in income tax refund fraud on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the occurrence of submitting of a misguided or fraudulent income tax return on the member's or a client's behalf.
Please familiarize yourself with the complaint below and respond to it within 7 days. The failure to respond within this term will result in cancellation of your Accountant license.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
===============
Date: Fri, 16 Feb 2012 14:25:24 +0100
From: "Alvaro Best"
Subject: Tax return fraud notification.
You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Revocation of Public Account Status due to tax return fraud allegations
Dear accountant officer,
We have been notified of your possible participation in income tax return fraudulent activity for one of your clients. According to AICPA Bylaw Section 700 your Certified Public Accountant status can be cancelled in case of the act of submitting of a misguided or fraudulent income tax return for your client or employer.
Please find the complaint below below and respond to it within 14 days. The failure to provide the clarifications within this period will result in withdrawal of your Accountant status.
Complaint.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
===============
Date: Fri, 16 Feb 2012 14:21:48 +0100
To:
Subject: Fraudulent tax return assistance accusations.
You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Termination of CPA license due to income tax fraud allegations
Dear AICPA member,
We have received a complaint about your possible assistance in tax return fraudulent activity on behalf of one of your employers. According to AICPA Bylaw Section 500 your Certified Public Accountant license can be withdrawn in case of the fact of submitting of a incorrect or fraudulent tax return for your client or employer.
Please find the complaint below below and respond to it within 21 days. The failure to respond within this period will result in withdrawal of your CPA license.
Complaint.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
freac.net is back with a BBB spam run
freac.net is a domain used in malicious spam emails pretending to be from the BBB or NACHA, as in this example. In that case, freac.net was apparently hosted on an IP belonging to Huawei in the US, but shortly afterwards it went non-resolving.
Well, freac.net is back, and so is the spam promoting it, e.g.:
Date: Fri, 16 Feb 2012 14:30:35 +0530
From: "BBB"
Subject: BBB case ID 28764441
Attachments: betterbb_logo.jpg
Hello,
Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 28764441) from a customer of yours related to their dealership with you.
Please open the COMPLAINT REPORT below to find more information on this case and let us know of your position as soon as possible.
We are looking forward to hearing from you.
Regards,
Carlos Baxter
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
===========
Date: Fri, 16 Feb 2012 14:26:31 +0530
From: "BBB"
Subject: BBB complaint processing
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau would like to notify you that we have been sent a complaint (ID 78067910) from a customer of yours related to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this case and inform us about your opinion as soon as possible.
We are looking forward to hearing from you.
Faithfully,
Theresa Morris
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Currently freac.net is hosted on 46.4.226.18 and 41.64.21.71; the first is a server rented from Hetzner in Germany, and oddly the second is an ADSL line in Cairo (the same IP that hosts thai4me.com, above).
Anyway, blocking those IPs will stop any further infections from this run. A Wepawet report for this infection is here.
Thursday, 16 February 2012
"Scan from a Hewlett-Packard Officejet" malicious spam / cserimankra.ru and samaragotodokns.ru
Another spam run with a malicious attachment:
Date: Fri, 16 Feb 2012 11:24:56 +0700
From: "VICTOR TALLEY"
Subject: Scan from a Hewlett-Packard Officejet 3906171
Attachments: HP_Scan-02.16_N05556.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 97687P.
Sent by: VICTOR
Images : 9
Attachment Type: .HTML [Internet Explorer]
Hewlett-Packard Location: machine location not set
Device: PFJ722DS0IDJ4996064
The attachment attempts to download malicious code from cserimankra.ru:8080/images/aublbzdni.php, which is multihomed (report here), and then attempts to download more malcode from samaragotodokns.ru:8080/images/jw.php?i=8.
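The lure above relies on an HTML attachment that fetches the real payload from a host:8080/images/name.php URL, the same shape as the other .ru:8080 runs on this page. As an added example (not the blog author's code), here is a small Python triage script that parses a message, flags .htm/.html attachments, extracts URLs of that shape from text parts and attachments, and checks whether a display name claiming an impersonated organisation (BBB, AICPA, IRS) arrives from an unrelated domain. The sample message, its sender address and the plain meta-refresh attachment body are constructed for the example; the page does not reproduce the real attachment, and real ones typically obfuscate the redirect, which is why a bare HTML attachment is itself treated as an indicator.

```python
"""Triage an e-mail for the indicators described in this post (added example,
not code from the original blog). Constructed sample data only."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Landing-page URL shape used by these runs: http://<host>:8080/images/<name>.php
LANDING_RE = re.compile(
    r"https?://([a-z0-9.-]+\.[a-z]{2,}):8080/images/[a-z0-9_]+\.php(?:\?[^\s\"'<>]*)?",
    re.I,
)
# Organisations these lures impersonate and the domain genuine mail would come from.
# Assumption made for the example; extend for your own environment.
IMPERSONATED = {
    "better business bureau": "bbb.org",
    "bbb": "bbb.org",
    "aicpa": "aicpa.org",
    "irs": "irs.gov",
}


def sender_mismatch(from_header):
    """Return (display_name, domain) when the display name claims one of the
    impersonated organisations but the address domain is not theirs."""
    name, addr = email.utils.parseaddr(str(from_header or ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for key, legit in IMPERSONATED.items():
        if re.search(r"\b" + re.escape(key) + r"\b", name.lower()):
            if domain != legit and not domain.endswith("." + legit):
                return name, domain
    return None


def triage(raw):
    """Parse a raw RFC 822 message (bytes) and report the indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"html_attachments": [], "landing_urls": [], "landing_hosts": [],
             "sender_mismatch": sender_mismatch(msg.get("From"))}
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        html_attach = part.get_content_disposition() == "attachment" and (
            fname.endswith((".htm", ".html")) or ctype == "text/html")
        if html_attach:
            found["html_attachments"].append(part.get_filename())
        # Scan text parts and HTML attachments; decode=True undoes base64/QP
        # so a URL split by soft line breaks is still matched.
        if html_attach or ctype.startswith("text/"):
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            for m in LANDING_RE.finditer(text):
                if m.group(0) not in found["landing_urls"]:
                    found["landing_urls"].append(m.group(0))
                    found["landing_hosts"].append(m.group(1).lower())
    found["suspicious"] = bool(found["html_attachments"] or found["landing_urls"]
                               or found["sender_mismatch"])
    return found


def build_sample():
    """Constructed message modelled on the 'Scan from a Hewlett-Packard Officejet'
    lure above. The attachment is a plain redirect written for this example; the
    page does not reproduce the real attachment."""
    msg = EmailMessage()
    msg["From"] = '"VICTOR TALLEY" <sales@example.net>'  # sender address is an assumption
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Scan from a Hewlett-Packard Officejet 3906171"
    msg.set_content("Attached document was scanned and sent to you using a "
                    "Hewlett-Packard HP Officejet 97687P.")
    redirect = ('<html><head><meta http-equiv="refresh" content="0;url='
                'http://cserimankra.ru:8080/images/aublbzdni.php"></head>'
                '<body>Loading scan...</body></html>')
    msg.add_attachment(redirect, subtype="html", filename="HP_Scan-02.16_N05556.htm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(sender_mismatch('"BBB" <dispute@example.org>'))
```

The hosts returned in `landing_hosts` are what you would resolve and feed into a blocklist; `sender_mismatch` is deliberately a display-name check only, since the From address on these runs is forged and the envelope sender is not shown in the samples above.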
These .ru sites are hosted on a familiar set of IP addresses, very similar to the ones found here.
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.76.184.100 (Comcast, US)
69.60.117.183 (Colopronto, US)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
111.93.161.226 (Tata Teleservices, India)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
184.106.151.78 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband Co Ltd, South Korea)
If you need a bare set of IP addresses for pasting into a blocklist:
46.137.251.11
50.31.1.105
50.57.77.119
50.76.184.100
69.60.117.183
87.120.41.155
88.191.97.108
111.93.161.226
173.203.51.174
173.255.229.33
184.106.151.78
184.106.237.210
190.81.107.70
190.106.129.43
200.169.13.84
204.12.252.82
210.56.23.100
211.44.250.173
Update: cgolidaofghjtr.ru is being used in a similar spam run and is on the same servers.
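The bare lists on this page are meant for pasting straight into a blocklist, and in the CPA post above the advice is to block a whole netblock (199.30.89.0/24) rather than one host. As an added example (not the blog's own tooling), here is a small Python script that takes such a mix of single IPs and CIDR prefixes, drops duplicates and hosts already covered by a wider prefix, and renders the result as ipset/iptables commands with a lookup function for testing. The `INDICATORS` list is constructed from a handful of the addresses quoted in the posts above and the ipset name is an assumption; any real list would come from your own feeds.

```python
"""Aggregate the IPs and netblocks quoted on this page into a blocklist
(added example; not the blog's own tooling)."""
import ipaddress

# Constructed input: a handful of addresses quoted in the posts above plus the
# /24 the author recommends blocking outright. 41.64.21.71 is listed twice on
# purpose, since it turns up under more than one malicious domain.
INDICATORS = [
    "199.30.89.187",      # biggestsetter.com
    "199.30.89.0/24",     # the Zerigo / Central Host netblock, blocked whole
    "46.4.226.18",        # freac.net (Hetzner)
    "41.64.21.71",        # freac.net / thai4me.com (Cairo ADSL)
    "50.31.1.105",        # .ru:8080 multihomed hosts
    "173.203.51.174",
    "184.106.237.210",
    "184.106.200.65",
    "184.106.151.78",
    "41.64.21.71",        # duplicate entry
    "# comment lines and blanks are ignored",
    "",
]


def build_blocklist(entries):
    """Parse single IPs and CIDR prefixes, drop duplicates and anything already
    covered by a wider prefix, and return the collapsed networks sorted."""
    nets = set()
    for raw in entries:
        item = raw.split("#", 1)[0].strip()
        if not item:
            continue
        # strict=False accepts host addresses with a prefix, e.g. 199.30.89.187/24
        nets.add(ipaddress.ip_network(item, strict=False))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses() refuses mixed families, so collapse each separately
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(ip, blocklist):
    """True if the address falls inside any network on the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def to_ipset(blocklist, name="malspam"):
    """Render the list as ipset/iptables commands; hash:net takes hosts and prefixes."""
    lines = [f"ipset create {name} hash:net -exist"]
    lines += [f"ipset add {name} {net.with_prefixlen} -exist" for net in blocklist]
    lines.append(f"iptables -I FORWARD -m set --match-set {name} dst -j DROP")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ipset(build_blocklist(INDICATORS)))
```

Collapsing matters when a list is maintained over weeks: once the /24 goes in, the individual 199.30.89.x hosts collected earlier are redundant, and `is_blocked` lets you confirm that a new host from the next spam run is already covered before adding it.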